In this follow-up to his article on SSH client software security settings, John Tränkenschuh describes the settings and implementation details important to your OpenSSH server installation. Because an OpenSSH server functions as a VPN gateway as much as a means to transfer files and invoke commands remotely, it's important to get this right.

My previous article in this series discussed SSH client security settings. To
summarize, if you can’t control installations of rogue SSH clients, your
only control is to limit outbound access through firewalling or other
network-layer controls. Another of my articles discusses the issues
with allowing outbound SSH access to the Internet. If unmonitorable tunnels into
your intranet are not a concern, then you have the following goals:

Securing the user’s private key

Ensuring that the authentication of SSH servers isn’t disabled (or too
trivially reconfigured by users automatically trusting any and all server
keys)

Making sure that files sourced at SSH startup aren’t hacked, etc.

There, that was easy.

Before you read this article, please review the OpenSSH man pages for the
daemon and the OpenSSH client. OpenSSH has a pretty righteous FAQ as well.
Review all the technical background yourself, because I can’t do
that in this article. Consider a good SSH book, and go to Safari to
check out the hundreds of hits from many, many books.

SSH Servers: A Basic Risk Analysis

How do you secure your SSH servers? What are the total risks of such servers
to your organization? You’re well aware of the possibility of people
hacking your server and getting unauthorized access. That’s bad. But there
are other risks. The SANS Institute’s Top 20 risk list really stresses SSH risks.
If compromised, an SSH host can be a router/forwarder
that will forward any kind of traffic to any host the p0wned box can
access—even your "secured" hosts that have been given Internet Assigned Numbers
Authority (IANA) reserved IP addresses. (Read RFC 3330 and RFC 1918 for the gory
details on these addresses.) In most cases, those addresses
aren’t accessible over the Internet.

More of a concern is your host’s threat to the rest of the Internet.
With poor security, the unmonitorable SSH pipe leads from your host to the
Internet itself. What will you do when your mail servers are blacklisted because
of your machine being every spammer’s holiday present? Poorly secured SSH
servers are a threat both to your organization and to other organizations, and
just may get you blacklisted. Obviously, it’s important to secure these
servers.

TIP

SSH has been on many researchers’ radars. Dug Song, the great security
researcher, has created some great tools;
for example, check out his SSHMitM. This tool is aimed primarily at Protocol 1
SSH servers, a point important to remember as you read this article.

Server security offers many more options than client security. It’s
important to establish your baseline server security before configuring the
first OpenSSH server. Let’s dive in.
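
A baseline check for the two risks raised above, Protocol 1 exposure and the server acting as a traffic forwarder, as an added example that is not from the original article. The keywords are real sshd_config(5) directives; the function names and sample configurations are constructed for illustration, and only global settings before the first Match block are read.

```python
import re

# Defaults from sshd_config(5) for the forwarding keywords checked here.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permittunnel": "no"}
# "Keyword value" or "Keyword=value"; comment and blank lines never match.
LINE = re.compile(r"^\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$")

def effective_settings(text):
    """Global keyword -> value; sshd keeps the FIRST value it reads."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":  # everything after this line is conditional
            break
        settings.setdefault(key, value)
    return settings

def audit(text):
    """Return findings for Protocol 1 and traffic-forwarding exposure."""
    s = effective_settings(text)
    findings = []
    if "protocol" not in s:
        findings.append("protocol=unset")  # default varies by OpenSSH release
    elif "1" in re.split(r"[,\s]+", s["protocol"]):
        findings.append("protocol=" + s["protocol"])
    for key, default in DEFAULTS.items():
        value = s.get(key, default)
        if value != "no":  # yes/all/local/remote all allow some forwarding
            findings.append(f"{key}={value}")
    return findings

# Constructed sample configurations (not from the article).
WEAK = """\
# the later "AllowTcpForwarding no" is ignored: first value wins
Protocol 2,1
allowtcpforwarding yes
GatewayPorts=yes
AllowTcpForwarding no
Match User backup
    PermitTunnel yes
"""
HARDENED = "Protocol 2\nAllowTcpForwarding no\nGatewayPorts no\nPermitTunnel no\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

Settings inside Match blocks, such as the PermitTunnel line in the weak sample, need a separate per-user review because this check stops at the first Match line.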